Microsoft Office Vulnerability Exploited via PowerPoint Slide Show (.ppsx) Attachments

A trojan identified by the cybersecurity firm Trend Micro as TROJ_CVE20170199.JVU is exploiting a remote code execution vulnerability, CVE-2017-0199, via Microsoft PowerPoint Slide Show email attachments. In the observation made by Trend Micro, the threat actor sent a spearphishing email, supposedly from a cable manufacturing provider, containing a malicious.ppsx attachment that, once opened, installs the TROJ_CVE20170199.JVU trojan. The trojan downloads a “logo.doc” file from its C2 server that downloads and executes the RATMAN.exe executable file. The executable provides the remote threat actor with the ability to execute code on the targeted system. The observed attacks have targeted companies in the electronics manufacturing industry. The NJCCIC recommends our members review the Trend Micro analysis and ensure all end users are continually informed of the latest email-based threats and tactics. If possible, organizations are advised to consider technology solutions that run new files in isolation and determine their security risk before opening on the end user's computer. Otherwise, users must be aware that malicious emails may arrive from legitimate accounts, internal or external, that have been compromised and used to send a weaponized attachment that may conform with the user's expectations and may not raise suspicion. While it may be impractical, organizations can encourage employees to contact email senders via phone, chat applications, text message, or video chat, to confirm the legitimacy of files before opening.